Electronic messages, such as electronic mail messages (or in short e-mails), instant messages, electronic fax messages and so on, are frequently used for spreading malware or spam over a large number of networked computer devices. In this context, the term “malware” or “malicious software” refers to any software or software portions used to disrupt computer operations, gather sensitive information, or gain access to private or corporate computer systems. Malware embedded in or attached to electronic messages and distributed via electronic messages can include, amongst others, viruses, worms, Trojan horses, ransomware, scareware, adware and/or other malicious programs. The term “spam” refers to unsolicited messages which are sent to a large number of message receivers and which usually contain unwanted advertising content or other types of junk content not solicited by users.
Spam messages, such as spam mails, are often sent by botnets or “zombie networks.” A botnet or zombie network is a network of infected computer devices which can be accessed and used by hackers for malicious purposes. For instance, botnet computer devices can be used by hackers for performing spam attacks in an anonymous way or for participating in distributed denial-of-service attacks. Since such attacks originate from many distributed infected computers, but not from the original hacker, it is difficult to identify such attacks and bring them under control. In practice, it takes some time until conventional antimalware systems or spam filters are capable of detecting such botnet attacks. However, the more time passes, the more spam messages or malicious content can spread over the internet and infect computers.
US 2009/0265786 A1 describes an automatic botnet spam signature generation technique on the basis of a set of unlabeled emails. The technique works as follows: a set of unlabeled emails is used as input and the URLs contained in the set of emails are extracted and grouped into a plurality of URL groups according to their domains. Thereafter the generated URL groups are analyzed in order to determine which group best characterizes an underlying botnet. The URL group which best represents the characteristics of a botnet (that is, which exhibits the strongest temporal correlation across a large set of distributed senders) is selected.
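The grouping-and-selection idea described above can be sketched as follows; this is an added example, not code from US 2009/0265786 A1 or from this document. It assumes the URL host stands in for the "domain" and that "temporal correlation across distributed senders" is approximated by the largest number of distinct senders mailing the same host within a short window; the function names, the 300-second window and the sample records are all constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample input: (sender IP, Unix timestamp, message body).
SAMPLE = [
    ("192.0.2.10", 1000, "Cheap pills http://promo.example.net/a1"),
    ("192.0.2.77", 1020, "Best offer http://promo.example.net/b7"),
    ("198.51.100.3", 1045, "Act now http://promo.example.net/c2"),
    ("203.0.113.40", 1070, "Limited http://promo.example.net/d9"),
    ("203.0.113.91", 1110, "Last chance http://promo.example.net/e4"),
    ("198.51.100.7", 2000, "Newsletter https://news.example.org/1"),
    ("198.51.100.7", 30000, "Newsletter https://news.example.org/2"),
    ("198.51.100.7", 60000, "Newsletter https://news.example.org/3"),
    ("203.0.113.5", 500, "See https://www.example.com/docs"),
    ("203.0.113.9", 20000, "See https://www.example.com/faq"),
]

def group_urls_by_domain(emails):
    """Map each URL host to the (sender, timestamp) pairs that mailed it."""
    groups = defaultdict(list)
    for sender, ts, body in emails:
        for url in URL_RE.findall(body):
            try:
                host = urlsplit(url).hostname
            except ValueError:  # malformed URL, e.g. broken IPv6 literal
                continue
            if host:
                groups[host.lower()].append((sender, ts))
    return groups

def burst_score(hits, window):
    """Most distinct senders seen within any `window`-second span."""
    hits = sorted(hits, key=lambda h: h[1])
    best = start = 0
    for end in range(len(hits)):
        # Slide the window start forward until the span fits in `window`.
        while hits[end][1] - hits[start][1] > window:
            start += 1
        best = max(best, len({s for s, _ in hits[start:end + 1]}))
    return best

def most_botnet_like(emails, window=300):
    """Return the top-scoring domain and all scores (assumed heuristic)."""
    groups = group_urls_by_domain(emails)
    scores = {d: burst_score(h, window) for d, h in groups.items()}
    return max(scores, key=scores.get), scores
```

On the constructed sample, the host mailed by five different senders within two minutes outranks the single-sender newsletter and the host referenced by two senders hours apart.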
Accordingly, there is a need for a new detection technique capable of detecting suspicious or malicious electronic messages in communications networks in a fast and efficient way.